HIPAA & COMMUNICATION

Prevent Your Mobile Devices From Causing A HIPAA Violation

© 2012 Dexcomm All Rights Reserved
Introduction

Thank you for joining us for our brief introduction to HIPAA and mobile devices. As a telephone answering service serving hundreds of medical clients in many different states, we have developed strategies and skills which allow us to comply with HIPAA and to expertly serve our diverse clientele. This e-book is our effort to share our experience with you and allow your office to quickly and easily become HIPAA compliant without undergoing the extensive research and expense we experienced. In doing research for this project, we came across two alarming facts: approximately 80% of physicians use mobile devices to access Protected Health Information (PHI); only 40% of physicians place a mid-level priority on the security of their systems and only 24% say it is a top priority. The reality is that physicians are using mobile devices more every day and many of the devices lack even the most basic security measures. Following a few simple steps suggested here and practicing your own due diligence can certainly save some heartache in the future.

Thanks for listening,

JAMEY HOPPER
President

Ask the Expert

INSIDE THIS ISSUE:

HIPAA, Medical Offices and Mobile Devices
Legislation
Note Board
How Do I Protect Mobile Devices
Tool Box & Checklist
Our Dedication To You
Appendices
Meet the Experts

You are invited to "ASK THE EXPERT", found in the bottom right-hand corner of each section.

JAMEY HOPPER, President
STEFFY RITTER, Business Manager
DANA LEWIS, Training Supervisor
KYLE DUHON, Systems Engineer
KARL SCHOTT, Operations Supervisor

Our e-books are designed to provide information about the subject matter covered. They are distributed with the understanding that the authors and the publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought.
HIPAA, Medical Offices and Mobile Devices

The amount of Protected Health Information (PHI) that could be on your employee's phone is staggering. Access to the protected information can be as easy as unlocking a smart phone. Mobile devices collect and contain PHI such as a patient's name and phone number or a picture of a patient's wound taken while they were in the office for a routine visit.

Are you prepared for a situation as simple as a member of your staff answering a call on their cell phone? Who has access to this information? What if, when the employee is at home, their teenage daughter is playing with the mobile device and sees a text message that contains PHI? You now have a HIPAA violation. There is even the possibility that the daughter sees a name she recognizes and places the information on Facebook, Twitter or any other social media site.

You will find a downloadable Mobile Device Policy that you can customize to your office's needs in the Toolbox Section.

Ask the Expert: KARL SCHOTT, Operations Supervisor
Here are just a few questions that you may want to ask your staff, think about, and discuss:

* Is your smart phone password protected?

* Are your employees aware of the different settings within their phones for text messages? There are settings which will allow only a number or a name of the person texting to be visible on the lock screen, rather than the message body.

* With the production of newer and more "tech savvy" smart phones which now have the capability of reading an incoming text message aloud, what procedures does your office have in place for preventing persons not privy to that information from hearing these text messages?

* When your office experiences a turnover in staff, are the proper procedures being followed, replacing old contact information with new, to prevent the release of PHI to the wrong person?

* Are you documenting a patient's history, such as wounds, with your camera phone? How is this patient's EPHI protected on your phone to avoid violating HIPAA regulations?

* Are you a home health or hospice agency providing medical services within the homes of patients? Do your nurses answer their cell phones within the patient's home? Are they removing themselves from the current patient's home, to avoid a HIPAA violation, when taking a message regarding another patient?
Health Insurance Portability and Accountability Act

The guidance that started as an attempt for consumers to keep their health information private and make their insurance portable has become a large legislative issue. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and updated in 2000, 2002, 2003, 2004, 2005 and 2006! While there are many aspects that we can discuss about HIPAA, we are going to focus on the specific legislation as it relates to mobile devices.

Congress realized that the advancements in technology called for additional legislation to protect the privacy of an individual's health information, known as Protected Health Information (PHI). The Privacy Rule sets standards for protecting PHI in any form (spoken, paper or electronic) held or transmitted by three kinds of covered entities: health plans, healthcare clearinghouses and healthcare providers. The Security Rule sets standards for protecting the confidentiality, integrity and availability of all electronic PHI created, received, maintained or transmitted. The Office for Civil Rights oversees and enforces the Privacy Rule and the Security Rule.

So what is protected under the Privacy Rule?

Protected Health Information is any "individually identifiable health information maintained in electronic media or transmitted or maintained in any other form or medium". The portion of it that lives on electronic media is Electronic Protected Health Information (EPHI), which is what the Security Rule, and this e-book, are concerned with. As you can imagine, this could include everything from a patient's name to private medical history. Basically, anything that would identify someone. Any number of pieces of EPHI could be on a mobile device in order for a physician to serve his or her patient. Due to the sensitivity of the information, it must be secured.

Ask the Expert: STEFFY RITTER, Business Manager

Case Study

A healthcare system that services Massachusetts had to send 384 letters notifying patients that a home health nurse's PDA was missing. The mobile device contained patients' personal information, which included social security numbers and health insurance information. The primary use of the PDA was to document care while the nurse visited with patients. Each nurse's PDA is connected to the healthcare system, which updates the electronic medical records at the end of the day.

The nurse reported the loss of the PDA immediately, but the report did not reach the compliance officer for several weeks due to a "lapse of communication."

The mobile device was not encrypted but did require a password. Reportedly, the healthcare system would not discount a hacker's ability to get past the password. They offered the patients a "security freeze" on their credit reports, and conducted in-house training on HIPAA security with all their staff.
Security Rule

Methods of protection are broken down into three categories of safeguards: administrative, physical and technical.

Administrative Safeguards
The covered entity must identify and analyze potential risks and implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.

Physical Safeguards
Implement policies and procedures regarding the transfer, disposal and reuse of electronic media. When your staff members receive a new mobile device, the old one that contains PHI stored on it must be disposed of properly. Ensure that disposed office machinery, such as fax machines, does not contain retrievable PHI.

Technical Safeguards
This section deals with access control and encryption to make sure that only those authorized view PHI and that transmission of data is secure.

So what does that really mean?

It means that all PHI that is stored in any format must be protected and staff must be trained with all of your procedures that accomplish said protection.

Questions to ask:

* Have you trained all of your staff on the proper way to secure their mobile device according to your policy?
* How many records are stored on the device?
* Do your mobile devices all have passwords, and are the passwords changed frequently?
* Is the data encrypted on their mobile devices?
* Where is the mobile device kept if it is not being used?
* Does anyone in your office frequently take their mobile device home with them?
Health Information Technology for Economic and Clinical Health Act, 2009

The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law as part of the American Recovery and Reinvestment Act (ARRA) of 2009. The main focus of HITECH was to encourage the use of health information technology.

Several changes were made with this legislation, including that business associates are now subject to the same requirements as covered entities. Not only do you have to comply with all of the HIPAA rules, but now your answering service, CPA, attorney, and other professional service organizations that may see PHI also have to comply. Penalties have increased and are now being levied. Fines range from $100 for a "did not know" offense to $1,500,000 for "willful neglect". If a breach does happen that involves over 500 records, the media must be notified. Finally, each State Attorney General may now prosecute separately from the Secretary of the Department of Health and Human Services (HHS), making fines a serious issue in the event of a breach.

Source: Enforcement Results. January 1, 2010 through December 31, 2010. Accessed 15 Feb. 2012. <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html>

So what does this really mean?

Given all of the above legislation and the large number of mobile devices on the market and in our businesses today, it has become difficult for physician offices and their business associates to manage all of the devices. Everything from a USB flash drive to an electronic tablet or even a camera phone has become a potential source of a PHI breach. It is important that you craft a mobile device policy that allows you to reasonably meet all of the rules. Administering this policy and knowing that you have done what the law requires will allow you a better night's sleep.

Case Study

December 11, 2007. Dr. Adam Hansen, Chief Resident of General Surgery at the Mayo Clinic Phoenix Hospital, admitted taking inappropriate photos of a patient, who was under anesthesia during an operation, and showing the pictures to his colleagues. The doctor is no longer employed with Mayo and the patient contacted his attorney.
NOTE BOARD

Common uses for mobile devices in a clinical setting:
* Patient database
* Contact information
* Consults
* Test results
* Surgery schedules
* Procedure lists
* Prescriptions

Case Study

Mobile devices are not only used to input information, but they can also be used maliciously with the digital camera found in the cell phone. Rady Children's Hospital in San Diego, CA forbade employees from carrying cell phones after investigators found photos of children on a respiratory therapist's computer and cell phone. The therapist had been molesting many of the severely disabled children while under his care. The therapist later pleaded guilty to child molestation and pornography and was sentenced to 45 years in prison.

Note:

Sending PHI over unencrypted text messages is as easy as two doctors texting each other to follow up on the previous day's patients. One doctor might text, "What happened with that critical patient last night?" The other doctor might respond, "She was diagnosed with an infection, admitted to the hospital, room 214." Anyone reading over a shoulder in a crowded elevator now has identifying information for that patient, including the gender, the diagnosis, and the room the patient is in, which is enough to cause a HIPAA breach. Keep in mind that ordinary SMS is not encrypted end to end: a copy of each message also sits on the carrier's systems and in both phones' message stores, so the exposure is not limited to the elevator.

The Office for Civil Rights (OCR) will notify a covered entity of a Failure to Comply and provide them the opportunity to produce written evidence of circumstances that would reduce or bar a penalty.
How Do I Protect Mobile Devices...

There are three safeguards under HIPAA's Security Rule to protect your mobile devices that are used to access or store EPHI under the responsibility of a HIPAA compliant entity.

Administrative Safeguards
Start by taking an inventory of all of the devices within your practice that are used to access and/or store EPHI. We recommend including what the device is intended for in regards to use/access to EPHI. To take this up a level, include the operating system the device is using. Remember your inventory will need regular updating depending on changes in employment and system updates. Tip: set reminders in your calendar. Review your practice's policies to make sure they encompass mobile devices. Training and enforcement are, as always, the key to your practice's success.

Physical Safeguards
Just like anything you want to protect, keep it in a safe location. Ensure that all devices are never left unattended, and are locked in a drawer or in an office when not in use. When outside of your office, make sure the device is either always with the person responsible for it or in a secure location such as a glove box or car trunk. It only takes a second for someone to grab such a small item. Remember that if the item is lost or stolen, report it immediately!

Technical Safeguards
If the electronic PHI is stored and transmitted in encrypted form, consistent with HHS guidance, then a lost or stolen device is not a breach of "unsecured" PHI and you do not need to notify patients, provided the decryption key was not compromised along with the data. Any data can be encrypted. Encryption is a process that converts plain text into cipher text that is unreadable to any unintended party who obtains the file without the key. It works by combining a mathematical algorithm (the cipher) with a secret key: the algorithm can be public, and it is the key that codes and decodes the cipher text and therefore must be kept away from anyone who might get hold of the device. This process is performed by computer programs or specific hardware designed for this purpose.

HHS states that a HIPAA compliant entity is not exempt from the breach notification requirements if the entity keeps the keys on the same device as the encrypted data. Ask your vendor before selecting your encryption product. Keys can be stored on a USB flash drive, on a key server, or be regenerated as needed (for example, derived from a passphrase the user enters rather than stored on the device). For more information, see the HIPAA Security Rule FAQ Regarding Encryption. On your computer, programs such as Microsoft® Encrypting File System (EFS) are built-in encryption programs that are easy to use by just changing the properties of the folder; note, though, that EFS keeps its keys on the same machine, protected by the user's logon credentials, so on its own it does not give you the separate-key storage described above.

The same protection extends to your mobile devices, which should also be password protected. Change your passwords at least every 90 days. Any EPHI that is utilized or stored on a mobile device must also be encrypted. This includes accessing a web portal in the mobile device's web browser, SMS/text messages, email and images.

Don't forget other mobile device items like USB flash drives, memory/smart cards, CDs, DVDs, PDAs, remote access devices and security hardware.

Ask the Expert: KYLE DUHON, Systems Engineer
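The key-separation point above is easier to see in code. The following Go program is an added example written for this edit, not code from Dexcomm or from any encryption product the page mentions. It seals a constructed sample record with AES-256-GCM from Go's standard library and models the lost phone as a structure that holds only the sealed blobs; the key is generated and held outside that structure, standing in for the key server or USB token the text describes. The record contents, type names and field layout are assumptions made for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey draws a 256-bit AES key from the OS CSPRNG. In a real deployment
// this key lives on the key server or USB token, never in the phone's storage.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// EncryptRecord seals one ePHI record with AES-256-GCM. A fresh random nonce
// is generated per record and prepended to the ciphertext; the GCM tag lets
// the decrypting side detect any modification of the stored blob.
func EncryptRecord(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptRecord reverses EncryptRecord. It returns an error, never garbage,
// if the key is wrong, the blob was tampered with, or the blob is malformed.
func DecryptRecord(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// LostPhone models what a finder actually gets: the sealed blobs and nothing else.
type LostPhone struct {
	Records [][]byte
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	note := []byte("Jane Doe, DOB 1970-01-01, wound photo 2012-02-15, room 214")
	blob, err := EncryptRecord(key, note)
	if err != nil {
		panic(err)
	}
	phone := LostPhone{Records: [][]byte{blob}}

	// The key holder (key server / token) can read the record back.
	pt, err := DecryptRecord(key, phone.Records[0])
	fmt.Printf("key holder reads: %q (err=%v)\n", pt, err)

	// The finder has only the blob; guessing a key yields an error, not plaintext.
	wrong, _ := NewKey()
	_, err = DecryptRecord(wrong, phone.Records[0])
	fmt.Println("finder with wrong key:", err)

	// Flipping one byte of the stored blob is caught by the GCM authentication tag.
	tampered := append([]byte(nil), phone.Records[0]...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = DecryptRecord(key, tampered)
	fmt.Println("tampered blob:", err)
}
```

The point of the `LostPhone` type is that everything it holds is useless without `key`, which never enters it. If the key were written to the same storage (a file next to the blobs, a hard-coded constant in the app), the finder would have both halves and the "encrypted" label would not keep you out of the breach notification requirements described above. GCM is used rather than a bare block mode so that a modified record fails to decrypt instead of silently yielding altered patient data.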
HIPAA & COMMUNICATION
                                                                                 Prevent Your Mobile Devices From Causing A HIPAA Violation                   11


Tool Box
- Mobile Security Tool Kit
- Password Locks
- HIPAA Security Guidance
- What is a Covered Entity
- Mobile Device Policy
- Inventory Forms

Mobile Solutions

Programming: Mobile devices can have programming installed that encrypts EPHI that is used or stored on them. Certain applications can record real-time messages for your practice's records and group the messages by thread. Features may also include remote disabling if the mobile device is lost or stolen.

Network Filters: Network Access Control (NAC) filters are deployed on network routers and make network access contingent on the IT-installed programs being present on the device. If you think a tech-savvy staff member may try to remove or hack the programming from their phone, the filter would not allow that device access to your network.

Checklist
- Ability to enable auto password lock after __ minutes
- Ability to remotely wipe a mobile device if the device is stolen or lost
- Ability to log visits each time a mobile device connects to your network
- Ability to perform surprise security checks
- Inventory of all mobile devices – you need to know what you have in order to protect what you have
- Policy: password locks on mobile devices
- Policy to install available software updates to mobile devices
- Policy to restrict the number of emails stored on the mobile device (Example: only keep 3 days of email)
- Policy to only install approved software on the device
- Policy to change the password on the mobile device every 90 days
- Policy to review logs every __ days/months
- Policy to report when a device is lost or stolen ASAP
- Policy to report any data breach ASAP
- Policy to only back up a mobile device on an approved/secure computer
- Policy: Bluetooth should only be used for passive devices (Example: hands-free kits)
- Policy to restrict use of a mobile device while driving
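As an added example (not part of the e-book or Dexcomm's materials), the script below audits a constructed device inventory against the checklist above and reports which items each device fails. The checklist's blanks for auto-lock minutes and the log-review interval are filled with assumed values, and the approved-software list and device records are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Checklist thresholds. The 90-day and 3-day figures come from the checklist;
# the blanks ("__ minutes", "__ days/months") are filled with assumed values.
AUTO_LOCK_MAX_MINUTES = 5      # assumed fill for "auto password lock after __ minutes"
PASSWORD_MAX_AGE_DAYS = 90     # "change the password on the mobile device every 90 days"
EMAIL_RETENTION_MAX_DAYS = 3   # "only keep 3 days of email"
LOG_REVIEW_MAX_DAYS = 30       # assumed fill for "review logs every __ days/months"
PASSIVE_BLUETOOTH = {"hands-free kit"}   # the checklist's example of a passive device
APPROVED_SOFTWARE = {"mdm-agent", "encrypted-messaging", "mail-client"}  # constructed list


@dataclass
class Device:
    """One row of the mobile device inventory (constructed sample schema)."""
    device_id: str
    owner: str
    encrypted: bool                 # EPHI encrypted at rest on the device
    auto_lock_minutes: int | None   # None means no auto lock is configured
    remote_wipe_enabled: bool
    password_changed: date
    email_retention_days: int
    updates_pending: int = 0
    installed_software: set[str] = field(default_factory=set)
    bluetooth_pairings: set[str] = field(default_factory=set)


def audit_device(dev: Device, today: date) -> list[str]:
    """Return the checklist items this device fails; an empty list means compliant."""
    findings: list[str] = []
    if not dev.encrypted:
        findings.append("EPHI on device is not encrypted")
    if dev.auto_lock_minutes is None or dev.auto_lock_minutes > AUTO_LOCK_MAX_MINUTES:
        findings.append(f"auto password lock missing or longer than {AUTO_LOCK_MAX_MINUTES} minutes")
    if not dev.remote_wipe_enabled:
        findings.append("remote wipe not enabled for a lost/stolen device")
    if (today - dev.password_changed).days > PASSWORD_MAX_AGE_DAYS:
        findings.append(f"password older than {PASSWORD_MAX_AGE_DAYS} days")
    if dev.email_retention_days > EMAIL_RETENTION_MAX_DAYS:
        findings.append(f"keeps more than {EMAIL_RETENTION_MAX_DAYS} days of email")
    if dev.updates_pending:
        findings.append(f"{dev.updates_pending} available software update(s) not installed")
    unapproved = sorted(dev.installed_software - APPROVED_SOFTWARE)
    if unapproved:
        findings.append("unapproved software installed: " + ", ".join(unapproved))
    active_bt = sorted(dev.bluetooth_pairings - PASSIVE_BLUETOOTH)
    if active_bt:
        findings.append("non-passive Bluetooth pairings: " + ", ".join(active_bt))
    return findings


def audit_inventory(devices: list[Device], today: date, last_log_review: date) -> dict[str, list[str]]:
    """Audit every inventoried device plus the office-wide log review policy.

    Keys are device ids; the special key "office" carries findings that apply
    to the practice as a whole rather than to one device.
    """
    report = {dev.device_id: audit_device(dev, today) for dev in devices}
    office: list[str] = []
    if (today - last_log_review).days > LOG_REVIEW_MAX_DAYS:
        office.append(f"network access logs not reviewed in {LOG_REVIEW_MAX_DAYS} days")
    report["office"] = office
    return report


def non_compliant_ids(report: dict[str, list[str]]) -> list[str]:
    """Device ids (excluding the office-level entry) with at least one finding."""
    return sorted(k for k, v in report.items() if k != "office" and v)


# Constructed sample inventory; dates are chosen relative to a fixed audit day.
AUDIT_DAY = date(2012, 3, 1)
LAST_LOG_REVIEW = date(2011, 12, 15)
SAMPLE_INVENTORY = [
    Device("phone-01", "Dr. A", encrypted=True, auto_lock_minutes=2,
           remote_wipe_enabled=True, password_changed=date(2012, 1, 20),
           email_retention_days=3, installed_software={"mdm-agent", "mail-client"},
           bluetooth_pairings={"hands-free kit"}),
    Device("tablet-02", "Nurse B", encrypted=False, auto_lock_minutes=None,
           remote_wipe_enabled=False, password_changed=date(2011, 10, 1),
           email_retention_days=30, updates_pending=2,
           installed_software={"mail-client", "photo-share"},
           bluetooth_pairings={"hands-free kit", "file-transfer"}),
]

if __name__ == "__main__":
    for item, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DAY, LAST_LOG_REVIEW).items():
        print(item, "OK" if not findings else "; ".join(findings))
```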



Our Dedication To You
We've given tools and education based on years of serving clients like you. When deciding which business associate fits your needs, we recommend a partner that has dedicated time and resources to protect you and your business.

One of the ways we dedicate time and resources into our partnerships with our clients and friends is through our staff and their development.

Our Hiring Process
All new hires are put through an extensive application process involving several interviews with multiple company executives, background checks and drug screening, and are required to sign a confidentiality agreement. This is to ensure that potential employees exemplify our core values, fit within our company culture and have the skills needed to serve our customers.

Our Training Process
Upon hire, new operators enter an extensive classroom-based training setting where they are educated under the supervision of a dedicated and experienced training department on our operating system and our focus on customer service.

The training department has outlined eight levels of education. Each level has specialized training dependent upon the complexity of the accounts. Operators improve by advancing through the different levels of education by completing training and testing. They receive one-on-one training that is ongoing throughout their time employed at Dexcomm. The highest operator level to achieve is focused on our medical-related fields.

Since 1989, before HIPAA was implemented, Dexcomm focused on and conducted confidentiality training because of our long history and understanding of the medical community. Starting in 2003, operators were introduced to two subject matter experts (SMEs): a registered nurse (RN) who has over 25 years of experience and an attorney who specializes in HIPAA regulations. The RN explains in detail what to expect when speaking with doctors, other nurses and various health-care providers. The attorney educates the operators on HIPAA rules and regulations. Our operators are then given a written test on both SMEs' seminars.

Once the initial training program is completed, their education is not over; operators are moved into advanced training. In this ongoing phase, they attend monthly in-services and are consistently monitored and evaluated by a large team of managers. The Training Department, which oversees this process, ensures HIPAA compliance, maintains our high level of customer service and enforces quality control.

Ask the Expert: Dana Lewis, Training Supervisor


Your Voice. Heard.
Please let us know if we can provide you with any additional information such as other e-books, white papers or our services.

Where can we connect with you?
Mary Beth Tipton, Business Office Administrator
Hettie Dunwoody, Customer Service Officer
Rachel McElroy, Director of Strategic Planning & Corporate Communications

A Special Thanks to Dexcomm Contributors
Gil Brassard, Jr., Sales Manager
Brandon Victorian, Customer Service Representative

Appendices

Acronyms
ANSI – American National Standards Institute
ARRA – American Recovery and Reinvestment Act of 2009
CMS – Centers for Medicare & Medicaid Services within the Department of Health and Human Services
EFS – Electronic Filing System
EPHI – Electronic Protected Health Information
HIPAA – Health Insurance Portability and Accountability Act
HITECH – The Health Information Technology for Economic and Clinical Health Act
HHS – U.S. Department of Health and Human Services
NAC – Network Access Control
PDA – Personal Digital Assistant, also known as a personal data assistant; a mobile device that functions as a personal information manager
PHI – Protected Health Information

Glossary
Access. The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. 45 C.F.R. §164.304 Definitions

Access Control Standard. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. 45 C.F.R. § 164.308(a)(4) [Information Access Management].

1. Unique User Identification (Required)
2. Emergency Access Procedure (Required)
3. Automatic Logoff (Addressable)
4. Encryption and Decryption (Addressable)

Addressable. Implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3)

Administrative safeguards. Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. 45 C.F.R. §164.304 Definitions

Breach. The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. 45 C.F.R. § 164.402 Definitions.

(1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.

    (ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.

(2) Breach excludes:

    (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.

    (ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.

    (iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

Covered Entity. The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:

a) a health care provider that conducts certain transactions in electronic form (called here a "covered health care provider")
b) a health care clearing house
c) a health plan

Encryption. A method of converting an original message of regular text into encoded text. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2021.html

HITECH. The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

Keys. Also known as encryption keys; algorithms that transfer the data into streams or blocks of seemingly random alphanumeric characters. An encryption key might encrypt, decrypt, or perform both functions, depending on the type of encryption software being used. WiseGEEK.com

Programming. Designed to perform a specific function directly for the user or, in some cases, for another application program. [Examples of application programs include word processors; database programs; Web browsers; development tools; drawing, paint, and image editing programs; and communication programs. Application programs use the services of the computer's operating system and other supporting programs.] Techtarget.com/definition

Protected Health Information. Individually identifiable health information:

(1) Except as provided in paragraph (2) of this definition, that is:

    (i) Transmitted by electronic media;
    (ii) Maintained in electronic media; or
    (iii) Transmitted or maintained in any other form or medium.

(2) Protected health information excludes individually identifiable health information in:

    (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as employer.

Physical safeguards. Physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. 45 C.F.R. §164.304

Privacy Rule. Requires a covered entity to have written policies and procedures as necessary to implement the privacy standards in the Rule and to train workforce members on those policies and procedures, as necessary and appropriate for the workforce members to perform their functions. 45 C.F.R. § 164.530(b)

Reasonable cause. Means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. 45 C.F.R. §160.401

Security Rule. Establishes national standards to protect individuals' electronic personal health information that is created, received, used, or maintained by a covered entity. The rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. 45 C.F.R. §160

Technical safeguards. The technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 45 C.F.R. §164.304

Willful neglect. Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 C.F.R. §160.401

Works Cited
Dearing, Dan. "Five steps to securing mobile data for HIPAA compliance." SC Magazine. 1 Jul. 2008. 13 Feb. 2012. <http://www.scmagazine.com/five-steps-to-securing-mobile-data-for-hipaa-compliance/article/112019/>.
Dolan, Pamela L. "Data security breaches often triggered by carelessness." amednews.com. 22 Feb. 2010. 30 Jan. 2012. <http://www.ama-assn.org/amednews/2010/02/22/bil20222.htm>.
Dolan, Pamela L. "Smartphones blamed for increasing risk of health data breaches." amednews.com. 19 Dec. 2011. 30 Jan. 2012. <www.ama-assn.org/amednews/2011/12/19/bil21219.htm>.
Dolan, Pamela L. "Health care's top 2012 issues: technology, social media, security." amednews.com. 13 Dec. 2011. <www.ama-assn.org/amednews/2011/12/12/bisd1213.htm>.
Dolan, Pamela L. "Physician texting provides quick communication -- and an easy way to violate HIPAA." amednews.com. 31 Oct. 2011. 30 Jan. 2012. <http://www.ama-assn.org/amednews/2011/10/31/bica1031.htm>.
Eckelbecker, Lisa. "Health data Missing." Telegram.com. 9 2008. 8 Feb. 2012. <http://www.telegram.com/article/20080419/NEWS/804190436/1116>.
"Guidance on Risk Analysis Requirements Under the HIPAA Security Rule." US Department of Health & Human Services. 14 Jul. 2010. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf>.
"HIPAA And Security Breaches: Most Frequent Issues and Causes, and Trends for Future Threats." BayBio: Northern California's Life Science Association. 3 Aug. 2011. 20 Feb. 2012. <http://www.baybio.org/events/details/hipaa-security-breaches-most-frequent-issues-causes-trends-future-threats/>.
"HIPAA Email Encryption Requirements." HIPAA Email Compliance. 13 Feb. 2012. <http://hipaaemailcompliance.org/hipaa-email-encryption-requirements/>.
"HIPAA Security Guidance." LogRhythm.com. 28 Dec. 2006. <http://www.logrhythm.com/LinkClick.aspx?fileticket=TXoFif%2B0MOU%3D&tabid=113>.
"HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information." American Medical Association. 2010. <http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf>.
"HIPAA Security Series - 4 Security Standards: Technical Safeguards." US Department of Health & Human Services. May 2005. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf>.
"HITECH Requires a Health Check on Data Protection." Toughbloggers.com. 3 Feb. 2011. 2 2012. <http://www.toughbloggers.com/2011/02/03/hitech-requires-a-health-check-on-data-protection/>.
"Health Information Privacy: Summary of the HIPAA Privacy Rule." U.S. Department of Health & Human Services. 15 Feb. 2012. <http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html>.
Kissel, Richard. "NIST Special Publication 800-88: Guidelines for Media Sanitization." National Institute of Standards & Technology. Sep. 2006.
Leyden, John. "Lost mobiles to pile up in taxis in run up to Xmas." The Register. 30 Nov. 2009. 7 Feb. 2012. <http://www.theregister.co.uk/2009/11/30/taxi_lost_kit_survey>.
Markus, Patricia A. "Cell Phone Camera Use in Healthcare Facilities: Shutter It." Smith Moore Leatherwood. 29 Jan. 2009. <http://www.smithmoorelaw.com/files/Publication/0b479c5a-08e8-4754-bff6-487214574a66/Presentation/PublicationAttachment/6cd8d168-6601-4464-b3eb-4a2d1e16dfee/20090129-hitnews-markuszuiker.pdf>.
McGee, Marianne K. "How Secure Are Your Clinicians' Mobile Devices?" Information Week. 16 Nov. 2011. 8 Feb. 2012. <http://www.informationweek.com/news/healthcare/mobilewireless/231903089>.
Ralph, Chris. "Risk Analysis for HIPAA Compliancy." SANS. 6 Jan. 2005. <http://www.sans.org/reading_room/whitepapers/hipaa/risk-analysis-hipaa-compliancy_1554>.
"Tattooed privates prove not so private." PogoWasRight.org. 10 Dec. 2007. 8 Feb. 2012. <news.yahoo.com/s/ap/20071220/ap_on_fe_st/odd_tattoo_photo;_ylt=A0WTUe8ybWpH7CEB6iIDW7oF>.
"What does "willful neglect" mean under HITECH/HIPAA?" LawtechTV.com. 7 Jul. 2009. <http://www.lawtechtv.com/home/2009/07/what-does-willful-neglect-mean-underhitechhipaa.html>.


The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 

How to Prevent Your Mobile Devices from Causing a HIPAA Violation

  • 1. HIPAA COMMUNICATION Prevent Your Mobile Devices From Causing A HIPAA Violation © 2012 Dexcomm All Rights Reserved
  • 2. INSIDE THIS ISSUE: HIPAA, Medical Offices and Mobile Devices (4); Legislation (6); Note Board (9); How Do I Protect Mobile Devices (10); Tool Box & Checklist (11); Our Dedication To You (12); Appendices (13)

    Thank you for joining us for our brief introduction to HIPAA and mobile devices. As a telephone answering service serving hundreds of medical clients in many different states, we have developed strategies and skills which allow us to comply with HIPAA and to expertly serve our diverse clientele. This e-book is our effort to share our experience with you and allow your office to quickly and easily become HIPAA compliant without undergoing the extensive research and expense we experienced. In doing research for this project, we came across two alarming facts: Approximately 80% of physicians use mobile devices to access Protected Health Information (PHI); only 40% of physicians place a mid-level priority on the security of their systems and only 24% say it is a top priority. The reality is that physicians are using mobile devices more every day and many of the devices lack even the most basic security measures. Following a few simple steps suggested here and practicing your own due diligence can certainly save some heartache in the future.

    Thanks for listening,
    JAMEY HOPPER, President
  • 3. Meet the Experts. You are invited to “ASK THE EXPERT” found in the bottom right-hand corner of each section.
    - JAMEY HOPPER, President
    - STEFFY RITTER, Business Manager
    - DANA LEWIS, Training Supervisor
    - KYLE DUHON, Systems Engineer
    - KARL SCHOTT, Operations Supervisor

    Our e-books are designed to provide information about the subject matter covered. It is distributed with the understanding that the authors and the publisher are not engaged in rendering legal, accounting, or other professional services. If legal advice or other professional assistance is required, the services of a competent professional person should be sought.
  • 4. HIPAA, Medical Offices and Mobile Devices

    The amount of Protected Health Information (PHI) that could be on your employee’s phone is staggering. Access to the protected information can be as easy as unlocking a smart phone. Mobile devices collect and contain PHI such as a patient’s name and phone number or a picture of a patient’s wound while they were in the office for a routine visit. Are you prepared for a situation as simple as a member of your staff answering a call on their cell phone? Who has access to this information? What if when the employee is at home, their teenage daughter is playing with the mobile device and sees a text message that contains PHI? You now have a HIPAA violation. There is even the possibility that the daughter sees a name she recognizes and places the information on Facebook, Twitter or any other social media site.

    Ask the Expert: KARL SCHOTT, Operations Supervisor. You will find a downloadable Mobile Device Policy that you can customize to your office’s needs in the Toolbox Section.
  • 5. Here are just a few questions that you may want to ask your staff, think about, and discuss:
    - Is your smart phone password protected?
    - Are your employees aware of the different settings within their phones for text messages? There are settings which will allow only a number or a name of the person texting to be visible.
    - With the production of newer and more “tech savvy” smart phones which now have the capability of reading aloud an incoming text message, what procedures does your office have in place for preventing persons not privy to that information from hearing these text messages?
    - When your office experiences a turnover in staff, are the proper procedures being followed with updates and removals of old information with new information to prevent the release of PHI to the wrong person?
    - Are you documenting a patient’s history, such as wounds, with your camera phone? How is this patient’s EPHI protected on your phone to avoid violating HIPAA regulations?
    - Are you a home health or hospice agency providing medical services within the homes of patients? Do your nurses answer their cell phones within the patient’s home? Are they removing themselves from the current patient’s home to avoid a HIPAA violation when taking a message regarding another patient?
  • 6. Health Insurance Portability and Accountability Act

    The guidance that started as an attempt for consumers to keep their health information private and make their insurance portable has become a large legislative issue. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in 1996 and updated in 2000, 2002, 2003, 2004, 2005 and 2006! While there are many aspects that we can discuss about HIPAA, we are going to focus on the specific legislation as it relates to mobile devices.

    Congress realized that the advancements in technology called for additional legislation to protect the privacy of an individual’s health information, known as Protected Health Information (PHI). The Privacy Rule sets standards to protect PHI transmitted electronically by three covered entities: health plans, healthcare clearing houses and healthcare providers. The Security Rule sets standards for protecting the confidentiality, integrity and availability of all electronic PHI created, received, maintained or transmitted. The Office for Civil Rights oversees and enforces the Privacy Rule and the Security Rule.

    So what is protected under the Privacy Rule? Electronic Protected Health Information (EPHI) is any “individually identifiable health information maintained in electronic media or transmitted or maintained in any other form or medium”. As you can imagine, this could include everything from a patient’s name to private medical history. Basically, anything that would identify someone. Any number of pieces of EPHI could be on a mobile device in order for a physician to serve his or her patient. Due to the sensitivity of the information, it must be secured.

    Case Study: A healthcare system that services Massachusetts had to send 384 letters notifying patients that a home health nurse’s PDA was missing. The mobile device contained patients’ personal information which included social security numbers and health insurance information. The primary use of the PDA was to document care while the nurse visited with patients. Each nurse’s PDA is connected to the healthcare’s system, which updates the electronic medical records at the end of the day. The nurse reported the loss of the PDA immediately, but the report did not reach the compliance officer for several weeks due to a “lapse of communication.” The mobile device was not encrypted but did require a password. Reportedly, the healthcare system would not discount a hacker’s ability to get past the password. They offered the patients a “security freeze” on their credit reports, and conducted in-house training on HIPAA security with all their staff.

    Ask the Expert: STEFFY RITTER, Business Manager.
  • 7. Security Rule

    Methods of protection are broken down into three categories of safeguards: administrative, physical and technical.

    Administrative Safeguards: The covered entity must identify and analyze potential risks and implement security measures that reduce those risks and vulnerabilities to a reasonable and appropriate level.

    Physical Safeguards: Implement policies and procedures regarding the transfer, disposal and reuse of electronic media. When your staff members receive a new mobile device, the old one that contains PHI stored on it must be disposed of properly. Ensure that disposed office machinery, such as fax machines, do not contain retrievable PHI.

    Technical Safeguards: This section deals with access control and encryption to make sure that only those authorized view PHI and that transmission of data is secure.

    So what does that really mean? It means that all PHI that is stored in any format must be protected and staff must be trained with all of your procedures that accomplish said protection.

    Questions to ask:
    - Have you trained all of your staff on the proper way to secure their mobile device according to your policy?
    - How many records are stored on the device?
    - Do your mobile devices all have passwords and are the passwords changed frequently?
    - Is the data encrypted on their mobile devices?
    - Where is the mobile device kept if it is not being used?
    - Does anyone in your office frequently take their mobile device home with them?
  • 8. Health Information Technology for Economic and Clinical Health Act, 2009

    The Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law as part of the American Recovery and Reinvestment (ARRA) Act of 2009. The main focus of HITECH was to encourage the use of health information technology. Several changes were made with this legislation, including that business associates are now subject to the same requirements as covered entities. Not only do you have to comply with all of the HIPAA rules but now your answering service, CPA, attorney, and other professional service organizations that may see PHI also have to comply. Penalties have increased and are now being levied. Fines range from $100 in a “did not know” offense to $1,500,000 for “willful neglect”. If a breach does happen that contains over 500 records, the media must be notified. Finally, each State Attorney General may now prosecute separately from the Department of Health and Hospitals Secretary (HHS), making fines a serious issue in the event of a breach.

    So what does this really mean? Given all of the above legislation and the large number of mobile devices on the market and in our businesses today, it has become difficult for physician offices and their business associates to manage all of the devices. Everything from a USB flash drive to an electronic tablet or even a camera phone has become a potential source of a PHI breach. It is important that you craft a mobile device policy that allows you to reasonably meet all of the rules. Administering this policy and knowing that you have done what the law requires will allow you a better night’s sleep.

    [Figure: Enforcement Results, January 1, 2010 through December 31, 2010. Accessed 15 Feb. 2012. <http://www.hhs.gov/ocr/privacy/hipaa/enforcement/data/historicalnumbers.html>]

    Case Study: December 11, 2007. Dr. Adam Hansen, Chief Resident of General Surgery at the Mayo Clinic Phoenix Hospital, admitted taking inappropriate photos of a patient, who was under anesthesia during an operation, and showing the pictures to his colleagues. The doctor is no longer employed with Mayo and the patient contacted his attorney.
  • 9. NOTE BOARD

    Common uses for mobile devices in a clinical setting:
    - Patient information database
    - Contacts
    - Test results
    - Surgery schedules
    - Procedure lists
    - Prescriptions

    Case Study: Mobile devices are not only used to input information, but they can also be used maliciously with the digital camera found in the cell phone. Rady Children’s Hospital in San Diego, CA forbade employees from carrying cell phones after investigators found photos of children on a respiratory therapist’s computer and cell phone. The therapist had been molesting many of the severely disabled children while under his care. The therapist later pleaded guilty to child molestation and pornography and was sentenced to 45 years in prison.

    Transmitting text messages without encryption that contain private health information is as easy as two doctors texting each other to follow up on the previous day’s patients. One doctor might text, “What happened with that critical patient last night.” The other doctor might respond, “She was diagnosed with an infection, admitted to the hospital, room 214.” For the spying eyes in a crowded elevator, they would have all the identifiable information for that patient including the gender, the diagnosis, and the room where the patient was located, enough to cause a breach under HIPAA.

    Note: The Office of Civil Rights (OCR) will notify a covered entity of a Failure to Comply and provide them the opportunity to produce written evidence of the above circumstances that would reduce or bar a penalty.
  • 10. How Do I Protect Mobile Devices...

    There are three safeguards to protect your mobile devices that are used to access or store EPHI under the responsibility of a HIPAA compliant entity utilizing HIPAA’s Security Rule.

    Administrative Safeguards: Start by taking an inventory of all of the devices within your practice that are used to access and/or store EPHI. We recommend including what the device is intended for in regards to use/access to EPHI. To take this up a level, include the operating system the device is using. Remember your inventory will need regular updating depending on changes in employment and system updates. Tip: Set reminders in your calendar. Review your practice’s policies to make sure they encompass mobile devices. Training and enforcement are, as always, the key to your practice’s success.

    Physical Safeguards: Just like anything you want to protect, keep it in a safe location. Ensure that all devices are never left unattended, and are locked in a drawer or in an office when not in use. When outside of your office, make sure the device is either always with the person responsible for it or in a secure location such as a glove box or car trunk. It only takes a second for someone to grab such a small item. Remember that if the item is lost or stolen, report it immediately!

    The same protection extends to your mobile devices, which should also be password protected. Change your passwords at least every 90 days. Any EPHI that is utilized or stored on a mobile device must also be encrypted. This includes accessing a web portal in the mobile device’s web browser, SMS/text messages, email or images.

    Don’t forget other mobile device items like USB flash drives, memory/smart cards, CDs, DVDs, PDAs, remote access devices and security hardware.

    Technical Safeguards: If the electronic PHI is stored and transmitted in encrypted form, then you do not need to notify patients if there is a security breach. Any data can be encrypted. Encryption is a process that converts plain text into cipher text that is unreadable to any unintended entity who has accessed the file without “permission.” It works by using a mathematical algorithm with keys that code and decode the cipher text. This process is performed by computer programs or specific hardware designed for this purpose. HHS states that any HIPAA compliant entity is not exempt from the breach notification requirements if the entity keeps the keys on the same device as the encrypted data. Ask your vendor before selecting your encryption product. Keys can be stored on a USB flash drive, a key server or be regenerated as needed. For more information visit HIPAA Security Rule FAQ Regarding Encryption. On your computer, programs such as Microsoft® Encrypting File System (EFS) are built-in encryption programs that are easy to use by just changing the properties of the folder.

    Ask the Expert: KYLE DUHON, Systems Engineer.
  • 11. Tool Box
    - Mobile Security Tool Kit
    - HIPAA Security Guidance
    - What is a Covered Entity
    - Mobile Device Policy
    - Inventory Forms

    Checklist
    - Password Locks
    - Ability to enable auto password lock after __ minutes
    - Ability to remotely wipe mobile device if device is stolen or lost
    - Ability to log visits each time a mobile device connects to your network
    - Ability to perform surprise security checks
    - Inventory of all mobile devices – You need to know what you have in order to protect what you have
    - Policy: Password locks on mobile devices
    - Policy to install available software updates to mobile devices
    - Policy to restrict the number of emails stored on the mobile device (Example: only keep 3 days of email)
    - Policy to only install approved software on device
    - Policy to change password on mobile device every 90 days
    - Policy to review logs every __ days/months
    - Policy to report when a device is lost or stolen ASAP
    - Policy to report any data breach ASAP
    - Policy to only backup mobile device on approved/secure computer
    - Policy: Bluetooth should only be used for passive devices (Example: hands free kits)
    - Policy to restrict use of mobile device while driving

    Mobile Solutions

    Programming: Mobile devices can have programming installed that encrypts EPHI that is used or stored on it. Certain programming applications can record real-time messages for your practice’s records, and group the messages by threads. Features may also include remote disabling if the mobile device is lost or stolen.

    Network Filters: Network Access Control (NAC) are filters deployed on network routers that make IT installed programs contingent upon use. If you think a tech-savvy staff member may try to remove or hack the programming from their phone, the filter would not allow access to your network.
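As an added example that is not part of the Dexcomm e-book, the following Python script audits a constructed device inventory against the checklist items above: password lock, the 90-day password age, an auto-lock timeout, encryption at rest with the key held off the device (the condition the Technical Safeguards section attaches to the breach-notification exemption), remote wipe, and periodic log review. The CSV layout, the sample rows and the two thresholds that fill the checklist's blanks (a 5-minute auto-lock and a 30-day log review interval) are assumptions made for this example.

```python
"""Audit a mobile-device inventory against the e-book's checklist items.

Added example, not from the Dexcomm e-book. The CSV column layout, the
sample rows and the two "blank" thresholds below are constructed for
illustration only.
"""
import csv
import io
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90   # checklist: change password every 90 days
MAX_AUTOLOCK_MINUTES = 5     # assumption: fills the "__ minutes" blank
MAX_LOG_REVIEW_DAYS = 30     # assumption: fills the "__ days/months" blank

# Constructed sample inventory; one row per device, flags are "yes"/"no".
SAMPLE_INVENTORY = """\
device_id,owner,os,stores_ephi,password_lock,password_changed,autolock_minutes,encrypted,key_on_device,remote_wipe,last_log_review
PHONE-001,nurse-a,iOS 5.1,yes,yes,2012-01-10,2,yes,no,yes,2012-02-01
PHONE-002,nurse-b,Android 4.0,yes,yes,2011-10-01,15,no,no,no,2011-12-01
TABLET-003,dr-c,iOS 5.1,yes,no,,0,yes,yes,yes,2012-02-10
USB-004,front-desk,n/a,no,no,,0,no,no,no,
"""

AUDIT_DATE = date(2012, 2, 15)   # constructed "today" for the sample run


def _yes(value):
    return value.strip().lower() == "yes"


def _days_since(iso_date, today):
    """Days elapsed since an ISO date string, or None if the field is blank."""
    if not iso_date:
        return None
    return (today - date.fromisoformat(iso_date)).days


def audit_device(row, today):
    """Return the list of checklist findings for one inventory row.

    Devices that neither store nor access EPHI are only required to be
    listed in the inventory, so they produce no findings here.
    """
    findings = []
    if not _yes(row["stores_ephi"]):
        return findings
    if not _yes(row["password_lock"]):
        findings.append("no password lock")
    age = _days_since(row["password_changed"], today)
    if age is None:
        findings.append("password change date unknown")
    elif age > MAX_PASSWORD_AGE_DAYS:
        findings.append(f"password {age} days old (limit {MAX_PASSWORD_AGE_DAYS})")
    lock = int(row["autolock_minutes"] or 0)
    if lock <= 0 or lock > MAX_AUTOLOCK_MINUTES:
        findings.append(f"auto-lock {lock} min (limit {MAX_AUTOLOCK_MINUTES})")
    if not _yes(row["encrypted"]):
        findings.append("EPHI not encrypted at rest")
    elif _yes(row["key_on_device"]):
        # Encryption whose key sits on the same device does not earn the
        # breach-notification exemption described on the previous slide.
        findings.append("encryption key stored on the device")
    if not _yes(row["remote_wipe"]):
        findings.append("no remote wipe capability")
    review = _days_since(row["last_log_review"], today)
    if review is None or review > MAX_LOG_REVIEW_DAYS:
        findings.append("access logs not reviewed within policy interval")
    return findings


def audit_inventory(csv_text, today):
    """Map device_id -> findings for every device in a CSV inventory."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["device_id"]: audit_device(row, today) for row in reader}


def audit_sample():
    """Run the audit over the constructed inventory as of AUDIT_DATE."""
    return audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for device, findings in audit_sample().items():
        print(f"{device}: {'OK' if not findings else '; '.join(findings)}")
```

Run as-is it reports PHONE-001 as compliant, five findings for PHONE-002 (stale password, long auto-lock, no encryption, no remote wipe, overdue log review), four for TABLET-003 (the key-on-device case among them), and nothing for the USB drive marked as not holding EPHI. Swapping SAMPLE_INVENTORY for a real export of your inventory form turns the same checks into a recurring review, which is the "set reminders in your calendar" step on the previous slide made mechanical.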
  • 12. Our Dedication To You

    We’ve given tools and education based on years of serving clients like you. When deciding which business associate fits your needs, we recommend a partner that has dedicated time and resources to protect you and your business. One of the ways we dedicate time and resources into our partnerships with our clients and friends is through our staff and their development.

    Our Hiring Process: All new hires are put through an extensive application process involving several interviews with multiple company executives, background checks, drug screening and are required to sign a confidentiality agreement. This is to ensure that potential employees exemplify our core values, fit within our company culture and have the skills needed to serve our customers. Since 1989, before HIPAA was implemented, Dexcomm focused on and conducted confidentiality training because of our long history and understanding of the medical community. Starting in 2003, operators were introduced to two subject matter experts (SMEs): a registered nurse (RN) who has over 25 years of experience and an attorney who specializes in HIPAA regulations. The RN explains in detail what to expect when speaking with doctors, other nurses and various health-care providers. The attorney educates the operators on HIPAA rules and regulations. Our operators are then given a written test on both SMEs’ seminars. Once the initial training program is completed, their education is not over; operators are moved into advanced training. In this ongoing phase, they attend monthly in-services and are consistently monitored and evaluated by a large team of managers. The Training Department, who oversees this process, ensures HIPAA compliance, maintains our high level of customer service and enforces quality control.

    Our Training Process: Upon hire, we enter them into an extensive classroom based training setting where they are educated under the supervision of a dedicated and experienced training department on our operating system and our focus on customer service. The training department has outlined eight levels of education. Each level has specialized training dependent upon the complexity of the accounts. Operators improve by advancing through the different levels of education by completing training and testing. They receive one-on-one training that is ongoing throughout their time employed at Dexcomm. The highest operator level to achieve is focused on our medical related fields.

    Ask the Expert: DANA LEWIS, Training Supervisor.
  • 13. Appendices

    Your Voice. Heard. Please let us know if we can provide you with any additional information such as other e-books, white pages or our services. Where can we connect with you?
    - Mary Beth Tipton, Business Office Administrator
    - Hettie Dunwoody, Customer Service Officer
    - Rachel McElroy, Director of Strategic Planning & Corporate Communications

    A Special Thanks to Dexcomm Contributors:
    - Gil Brassard, Jr., Sales Manager
    - Brandon Victorian, Customer Service Representative

    Acronyms
    - ANSI – American National Standards Institute
    - ARRA – American Recovery and Reinvestment Act of 2009
    - CMS – Centers for Medicare & Medicaid Services within the Department of Health and Human Services.
    - EFS – Electronic Filing System
    - EPHI – Electronic Protected Health Information
    - HIPAA – Health Insurance Portability and Accountability Act
    - HITECH – The Health Information Technology for Economic and Clinical Health Act
    - HHS – U.S. Department of Health and Human Services
    - NAC – Network Access Control
    - PDA – Personal Digital Assistant, also known as a personal data assistant, is a mobile device that functions as a personal information manager.
    - PHI – Protected Health Information

    Glossary

    Access. The ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource. 45 C.F.R. §164.304 Definitions

    Access Control Standard. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. 45 C.F.R. § 164.308(a)(4) [Information Access Management].
  • 14. Glossary (continued)

    Access Control Standard implementation specifications:
    1. Unique User Identification (Required)
    2. Emergency Access Procedure (Required)
    3. Automatic Logoff (Addressable)
    4. Encryption and Decryption (Addressable)

    Addressable. Implementation specification is not optional; rather, if an organization determines that the implementation specification is not reasonable and appropriate, the organization must document why it is not reasonable and appropriate and adopt an equivalent measure if it is reasonable and appropriate to do so. 68 FR 8334, 8336 (Feb. 20, 2003); 45 C.F.R. § 164.306(d)(3)

    Administrative safeguards. Administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity’s workforce in relation to the protection of that information. 45 C.F.R. §164.304 Definitions

    Breach. The acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E of this part which compromises the security or privacy of the protected health information. 45 C.F.R. § 164.402 Definitions.
    (1)(i) For purposes of this definition, compromises the security or privacy of the protected health information means poses a significant risk of financial, reputational, or other harm to the individual.
    (ii) A use or disclosure of protected health information that does not include the identifiers listed at § 164.514(e)(2), date of birth, and zip code does not compromise the security or privacy of the protected health information.
    (2) Breach excludes:
    (i) Any unintentional acquisition, access, or use of protected health information by a workforce member or person acting under the authority of a covered entity or a business associate, if such acquisition, access, or use was made in good faith and within the scope of authority and does not result in further use or disclosure in a manner not permitted under subpart E of this part.
    (ii) Any inadvertent disclosure by a person who is authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the same covered entity or business associate, or organized health care arrangement in which the covered entity participates, and the information received as a result of such disclosure is not further used or disclosed in a manner not permitted under subpart E of this part.
    (iii) A disclosure of protected health information where a covered entity or business associate has a good faith belief that an unauthorized person to whom the disclosure was made would not reasonably have been able to retain such information.

    Covered Entity. The Administrative Simplification standards adopted by Health and Human Services (HHS) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) apply to any entity that is:
    a) a health care provider that conducts certain transactions in electronic form (called here a “covered health care provider”)
    b) a health care clearing house
    c) a health plan

    Encryption. A method of converting an original message of regular text into encoded text. http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2021.html

    HITECH. The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009, was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology.

    Keys. Also known as encryption key, algorithms that transfer the data into streams or blocks of seemingly random alphanumeric characters. An encryption key might encrypt, decrypt, or perform both functions, depending on the type of encryption software being used. WiseGEEK.com

    Programming. Designed to perform a specific function directly for the user or, in some cases, for another application program. [Examples of application programs include word processors; database programs; Web browsers; development tools; drawing, paint, and image editing programs; and communication programs. Application programs use the services of the computer’s operating system and other supporting programs.] Techtarget.com/definition

    Protected Health Information. Individually identifiable health information:
    (1) Except as provided in paragraph (2) of this definition, that is:
    (i) Transmitted by electronic media;
    (ii) Maintained in electronic media; or
    (iii) Transmitted or maintained in any other form or medium.
    (2) Protected health information excludes individually identifiable health information in:
    (i) Education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. 1232g;
    (ii) Records described at 20 U.S.C. 1232g(a)(4)(B)(iv); and
    (iii) Employment records held by a covered entity in its role as employer.

  • 15. Glossary (continued)

    Physical safeguards. Physical measures, policies, and procedures to protect a covered entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion. 45 C.F.R. §164.304

    Privacy Rule. Requires a covered entity to have written policies and procedures as necessary to implement the privacy standards in the Rule and to train workforce members on those policies and procedures, as necessary and appropriate for the workforce members to perform their functions. 45 C.F.R. § 164.530(b)

    Reasonable cause. Means circumstances that would make it unreasonable for the covered entity, despite the exercise of ordinary business care and prudence, to comply with the administrative simplification provision violated. 45 C.F.R. §160.401

    Security Rule. Establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information. 45 C.F.R. §160

    Technical safeguards. The technology and the policy and procedures for its use that protect electronic protected health information and control access to it. 45 C.F.R. §164.304

    Willful neglect. Conscious, intentional failure or reckless indifference to the obligation to comply with the administrative simplification provision violated. 45 C.F.R. §160.401

    Works Cited
    - Dearing, Dan. “Five steps to securing mobile data for HIPAA compliance.” SC Magazine. 1 Jul. 2008. 13 Feb. 2012. <http://www.scmagazine.com/five-steps-to-securing-mobile-data-for-hipaa-compliance/article/112019/>.
    - Dolan, Pamela L. “Data security breaches often triggered by carelessness.” amednews.com. 22 Feb. 2010. 30 Jan. 2012. <http://www.ama-assn.org/amednews/2010/02/22/bil20222.htm>.
    - Dolan, Pamela L. “Smartphones blamed for increasing risk of health data breaches.” amednews.com. 19 Dec. 2011. 30 Jan. 2012. <www.ama-assn.org/amednews/2011/12/19/bil21219.htm>.
    - Dolan, Pamela L. “Health care’s top 2012 issues: technology, social media, security.” amednews.com. 13 Dec. 2011. <www.ama-assn.org/amednews/2011/12/12/bisd1213.htm>.
    - Dolan, Pamela L. “Physician texting provides quick communication -- and an easy way to violate HIPAA.” amednews.com. 31 Oct. 2011. 30 Jan. 2012. <http://www.ama-assn.org/amednews/2011/10/31/bica1031.htm>.
    - Eckelbecker, Lisa. “Health data Missing.” Telegram.com. 9 2008. 8 Feb. 2012. <http://www.telegram.com/article/20080419/NEWS/804190436/1116>.
    - “Guidance on Risk Analysis Requirements Under the HIPAA Security Rule.” US Department of Health & Human Services. 14 Jul. 2010. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/rafinalguidancepdf.pdf>.
    - “HIPAA And Security Breaches: Most Frequent Issues and Causes, and Trends for Future Threats.” Bay Bio: Northern California’s Life Science Association. 3 Aug. 2011. 20 Feb. 2012. <http://www.baybio.org/events/details/hipaa-security-breaches-most-frequent-issues-causes-trends-future-threats/>.
    - “HIPAA Email Encryption Requirements.” HIPAA Email Compliance. 13 Feb. 2012. <http://hipaaemailcompliance.org/hipaa-email-encryption-requirements/>.
    - “HIPAA Security Guidance.” LogRhythm.com. 28 Dec. 2006. <http://www.logrhythm.com/LinkClick.aspx?fileticket=TXoFif%2B0MOU%3D&tabid=113>.
    - “HIPAA Security Rule: Frequently asked questions regarding encryption of personal health information.” American Medical Association. 2010. <http://www.ama-assn.org/resources/doc/psa/hipaa-phi-encryption.pdf>.
    - “HIPAA Security Series - 4 Security Standards: Technical Safeguards.” US Department of Health & Human Services. May 2005. <http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/techsafeguards.pdf>.
    - “HITECH Requires a Health Check on Data Protection.” Toughbloggers.com. 3 Feb. 2011. 2 2012. <http://www.toughbloggers.com/2011/02/03/hitech-requires-a-health-check-on-data-protection/>.
    - “Health Information Privacy: Summary of the HIPAA Privacy Rule.” U.S. Department of Health & Human Services. 15 Feb. 2012. <http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html>.
    - Kissel, Richard. “NIST Special Publication 800-88: Guidelines for Media Sanitization.” National Institute of Standards & Technology. Sep. 2006.
    - Leyden, John. “Lost mobiles to pile up in taxis in run up to Xmas.” The Register. 30 Nov. 2009. 7 Feb. 2012. <http://www.theregister.co.uk/2009/11/30/taxi_lost_kit_survey>.
    - Markus, Patricia A. “Cell Phone Camera Use in Healthcare Facilities: Shutter It.” Smith Moore Leatherwood. 29 Jan. 2009. <http://www.smithmoorelaw.com/files/Publication/0b479c5a-08e8-4754-bff6-487214574a66/Presentation/PublicationAttachment/6cd8d168-6601-4464-b3eb-4a2d1e16dfee/20090129-hitnews-markuszuiker.pdf>.
    - McGee, Marianne K. “How Secure Are Your Clinicians’ Mobile Devices?” Information Week. 16 Nov. 2011. 8 Feb. 2012. <http://www.informationweek.com/news/healthcare/mobilewireless/231903089>.
    - Ralph, Chris. “Risk Analysis for HIPAA Compliancy.” SANS. 6 Jan. 2005. <http://www.sans.org/reading_room/whitepapers/hipaa/risk-analysis-hipaa-compliancy_1554>.
    - “Tattooed privates prove not so private.” PogoWasRight.org. 10 Dec.
2007. 8 Feb. 2012. <news.yahoo.com/s/ap/20071220/ap_on_fe_st/ odd_tattoo_photo;_ylt=A0WTUe8ybWpH7CEB6iIDW7oF.> "What does "willful neglect" mean under HITECH/HIPAA?." LawtechTV.com. 7 Jul. 2009. <http:// www.lawtechtv.com/home/2009/07/what-does-willful-neglect-mean-underhitechhipaa.html>. Share this e-book!